EP3901714B1 - Method for verifying the authenticity of electronic modules of a modular field device of automation technology - Google Patents

Method for verifying the authenticity of electronic modules of a modular field device of automation technology Download PDF

Info

Publication number
EP3901714B1
EP3901714B1 EP21164325.9A EP21164325A EP3901714B1 EP 3901714 B1 EP3901714 B1 EP 3901714B1 EP 21164325 A EP21164325 A EP 21164325A EP 3901714 B1 EP3901714 B1 EP 3901714B1
Authority
EP
European Patent Office
Prior art keywords
electronic module
key
key pair
field device
replaced
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
EP21164325.9A
Other languages
German (de)
French (fr)
Other versions
EP3901714A1 (en
Inventor
Thomas Alber
Markus Kilian
Axel PÖSCHMANN
Sascha BIHLER
Simon Merklin
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Endress and Hauser Conducta GmbH and Co KG
Original Assignee
Endress and Hauser Conducta GmbH and Co KG
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Endress and Hauser Conducta GmbH and Co KG filed Critical Endress and Hauser Conducta GmbH and Co KG
Publication of EP3901714A1 publication Critical patent/EP3901714A1/en
Application granted granted Critical
Publication of EP3901714B1 publication Critical patent/EP3901714B1/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/72Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in cryptographic circuits
    • GPHYSICS
    • G05CONTROLLING; REGULATING
    • G05BCONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B19/00Program-control systems
    • G05B19/02Program-control systems electric
    • G05B19/04Program control other than numerical control, i.e. in sequence controllers or logic controllers
    • G05B19/042Program control other than numerical control, i.e. in sequence controllers or logic controllers using digital processors
    • G05B19/0428Safety, monitoring
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/64Protecting data integrity, e.g. using checksums, certificates or signatures
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3271Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • GPHYSICS
    • G05CONTROLLING; REGULATING
    • G05BCONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B2219/00Program-control systems
    • G05B2219/20Pc systems
    • G05B2219/25Pc structure of the system
    • G05B2219/25428Field device
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2103Challenge-response

Definitions

  • the invention relates to a method for checking the authenticity of electronic modules of a modular field device in automation technology.
  • field devices are often used to record and/or influence physical, chemical or biological process variables.
  • Measuring devices are used to record the process variables. These are used, for example, for pressure and temperature measurement, conductivity measurement, flow measurement, pH measurement, level measurement, etc. and record the corresponding process variables pressure, temperature, conductivity, pH value, level, flow, etc.
  • Actuator systems are used to influence the process variables. Examples of actuators are pumps or valves that can influence the flow of a liquid in a pipe or the level in a container.
  • field devices also include remote I/Os, radio adapters or general devices that are arranged at the field level. In connection with the invention, field devices are all devices that are used near the process or system and that provide or process process- or system-relevant information.
  • Corresponding field devices usually consist of a large number of electronic modules, such as plug-in modules with circuit boards, sensors with digital connections, etc. If an electronic module is replaced or added, there is currently no check to see whether the electronic module is authentic. Currently, an electronic module is usually visually checked and accepted as authentic after a positive visual inspection.
  • the present patent application describes a method for ensuring module authenticity: Is the module really the module it claims to be?
  • the primary aim here is to check whether a certain module is present, whereby the identity is checked and modules of the same construction are not automatically accepted.
  • the manufacturer authenticity is checked, ie whether an electronic module comes from an original manufacturer or from a trustworthy third party or a supplier.
  • both methods could also be used simultaneously or one after the other to check an electronic module.
  • the EP 2 806 599 A1 discloses a method for adding a wireless device to a wireless network using first and second certificates and first and second public keys.
  • the EN 10 2017 111928 A1 comprises a method for the authorized updating of a first operating software of a field device, wherein an authentication check of a second operating software for the field device, signed by means of a first private key assigned to the system, is carried out, wherein, in the event that the authentication check was carried out successfully, the first operating software located on the field device is at least partially replaced by the second operating software.
  • the US 2004/00327 A1 discloses a method in which a vehicle authenticates a potential component for use in the vehicle by obtaining a certification from a certification authority that an authentic component is associated with a cryptographic key.
  • the certification attests that the cryptographic key is bound to information identifying the authentic component.
  • the vehicle uses the cryptographic key obtained from the certification authority in cryptographic communication with the potential component and determines whether the potential component is the authentic component based on whether the cryptographic key is successfully used in the cryptographic communication.
  • the invention is based on the object of automatically detecting a non-authentic electronic module.
  • the object is achieved by a method for checking the authenticity of electronic modules of a modular field device of automation technology according to patent claim 1.
  • Module Trust List It is therefore checked whether the individual modules are present that should be present according to the Module Trust List. If an electronic module is replaced or added, this is detected using the method according to the invention. Integration into the operation is refused if the electronic module cannot prove its authenticity.
  • a field device checks whether the public key of the electronic module is included in the list of electronic modules marked as trustworthy before it includes a replaced or added electronic module in the communication required to operate the field device.
  • the authenticity of an electronic module is usually checked during the runtime of the field device.
  • the key pair assigned to each electronic module is also referred to as the cryptographic identity of the electronic module.
  • Symmetric encryption and asymmetric encryption are known in principle. While in symmetric encryption, encryption and decryption are carried out with an identical key, in asymmetric encryption this is done with two different keys.
  • Asymmetric cryptography often uses RSA-based key pairs that may differ in key length.
  • RSA keys with a length of 2048 bits are already considered critical; those who need more security use key lengths of 3072 or even 4096 bits.
  • the increasing key lengths not only have a negative impact on the storage space required, but also also the performance - both in asymmetric encryption and decryption and, above all, in key pair generation.
  • Significantly more efficient than the RSA cryptosystems based on prime number fields are those that use elliptic curves.
  • a few EC (elliptic curves) have become established. One of them is Curve25519.
  • an asymmetric key pair is used in conjunction with the invention.
  • the asymmetric encryption methods are considered to be very secure because two keys are used that cannot be derived from one another: a public key for encryption and a private key for decryption, or vice versa.
  • the private key always remains with the creator of the key. So either the private key is used for encryption and the public key is used for decryption, or vice versa.
  • the field device or the unit communicating with the field device requests the public key of the replaced or added electronic module and checks whether the public key of the electronic module is stored in the list of public keys classified as trusted.
  • a test is carried out to determine whether the electronic module is in possession of the private key of the appropriate key pair.
  • a challenge-response procedure is used for this test.
  • the fact that an electronic module delivers a trustworthy public key does not prove that this is also the public key belonging to this electronic module. After all, it could also be a fake module that uses an illegally obtained public key. It must therefore be checked whether this electronic module is authentic, i.e. whether the public key supplied actually belongs to this electronic module, whether the electronic module has supplied the correct public key associated with it and whether it can prove this.
  • the challenge-response procedure is preferably used for this proof.
  • the field device or an electronic component sends any message to the replaced or added electronic module requesting the creation of a signature ("challenge").
  • the module signs this message and sends the signature ("response") back to the field device or the requesting electronic module.
  • the field device or the requesting electronic module can now use the signature to check whether the electronic module is in possession of the correct private key.
  • Module k applies a hash procedure to message m and encrypts the received hash value with its private key.
  • the field device decrypts the received signature with the module's public key and compares this with a self-calculated hash value of the sent message.
  • both hash values are identical, which proves that a) the module told the truth because it sent the correct public key and b) that it can also prove this because it has the associated private key.
  • Special algorithms DSA ECDSA, etc.
  • DSA ECDSA etc.
  • an electronic module does not have a suitable key pair or only has one that is based on a different curve or on a different cryptosystem, it cannot participate in the challenge response process. This can be remedied if this electronic module has a generator that can be used to generate such a suitable key pair; alternatively, it must have a corresponding interface and a key memory so that an externally generated key pair can be subsequently written into the electronic module if necessary. In both cases, however, the module must be able to perform the appropriate/related operations, e.g. encryption with the private key.
  • the replaced or added electronic module - especially from the field device - is sent a random message as a challenge with the request to create a signature with the private key.
  • the electronic module signs the message with its private key and sends the signature back as a response.
  • the signature is used to check whether the electronic module is in possession of the private key of the appropriate key pair. Any key pair, in the sense of asymmetric cryptography, is considered suitable. RSA or EC-based key pairs are common. A key pair is a tool. Such a key pair is then used by the field device to determine the authenticity of the electronic module.
  • Suitable can be restricted in a specific case: Both the field device and the electronic module must be able to perform the respective operations (encryption, decryption) with the key pair. If the field device can only do EC and the module can only do RSA, for example, then the invention will not work. If the electronic module cannot do asymmetric cryptography at all, then no suitable key pair exists.
  • the public key of the generated key pair is assigned to the list of electronic modules classified as trustworthy as soon as an authorized person has confirmed the trustworthiness of the electronic module.
  • the public key of the key pair is stored in the list of electronic modules classified as trustworthy if an authorized Person confirms the trustworthiness of the electronic module. This allows the list to grow and contain the public keys of several electronic modules. Of course, when replacing modules, it is a good idea to remove the public key of the replaced module from the Module Trust List.
  • an electronic module does not have a suitable key pair or only has one that is based on a different curve or on a different cryptosystem, it cannot participate in the challenge-response process.
  • this electronic module In order to generate a suitable key pair, this electronic module must have a generator with which such a (suitable) key pair can be generated, or it must have an interface and a key memory so that an externally generated key pair can be written into the electronic module. In both cases, however, the electronic module must master the appropriate / associated requirements and operations (e.g. encryption with the private key).
  • the electronic modules are each provided with a suitable key pair by the original manufacturer or a third party authorized by the original manufacturer during the production process or during a service call; furthermore, the public key of the suitable key pair is stored at the corresponding time in the list of electronic modules classified as trustworthy.
  • the field device is informed by a trusted person that the exchanged or added electronic module is to be considered trustworthy. The field device then transfers the public key of the electronic module to its Module Trust List MTL.
  • the public key of the replaced electronic module is deleted from the list of electronic modules classified as trusted.
  • the verification or test of whether the electronic module is authentic can be carried out while the field device is in operation.
  • a derivation e.g. a hash value, or another independent and unique identification can be used instead of the public key of the electronic module.
  • Fig.1 shows a schematic representation of a field device FG with several electronic modules Mk, which is suitable for carrying out the method according to the invention.
  • This suitable key pair Pk, pk is a prerequisite for the associated electronic module Mk to be able to confirm its authenticity.
  • Each key pair Pk, pk consists of a public key Pk and a private key pk.
  • the public keys Pk of the suitable key pairs Pk, pk are stored in a list MTL, whereby the MTL list is assigned to the field device FG or to a unit U communicating with the field device FG.
  • MTL is the abbreviation for Module Trust List.
  • the list contains the public keys Pk of the electronic modules Mk classified as trustworthy. Only if the test steps according to the method according to the invention and/or its further embodiments are positively answered, a replaced or newly added electronic module Mk is functionally integrated into the field device FG.
  • the field device is also assigned its own key pair Q, q consisting of public key Q and private key q.
  • the field device FG can, if required, transmit the public key Q to one or more electronic modules Mk in order, for example, to determine secret knowledge between the field device FG and the electronic module Mk and to use this (or a derivation of it) as a symmetric key for encrypted communication (keyword: "Diffie-Hellman", exchange of public keys). It is also possible that not only the electronic module Mk has to identify itself to the field device FG, but also the field device FG to the electronic module Mk. If an electronic module Mk has stored a lot of sensitive (secret) data, for example, it may only be able to communicate this to one or only certain field devices FG. For this, each electronic module Mk would have to have a stored field device trust list in which the public keys of the field devices FGk classified as trustworthy are listed.
  • Fig.2 shows a flow chart describing the method according to the invention with different developments.
  • a new electronic module Mk e.g. Mod3new
  • a new module Mk e.g. the electronic module Mod4
  • a check is made as to whether the new electronic module Mk has a suitable key pair Pk, pk. If this is the case, a check is made under program point 30 as to whether the public key Pk of the replaced or added electronic module Mk. Mk is listed in the MTL list of public keys Pk. If the check is positive, a check is made at program point 40 as to whether the new electronic module Mk has the correct private key pk.
  • pk - which is determined at program point 30 - the field device FG or the unit U communicating with the field device FG requests the public key Pk of the replaced or added electronic module Mk and checks whether the public key Pk of the electronic module Mk is stored in the MTL list.
  • the check to see whether the electronic module Mk is in possession of the correct private key pk of the appropriate key pair Pk, pk is carried out using a challenge-response procedure.
  • any message m is sent to the replaced or added electronic module Mk, in particular from the field device FG, as a challenge, with the request to create a signature with the existing private key pk.
  • the electronic module Mk signs the message m with its private key pk and sends the signature back as a response.
  • the signature is used to check whether the electronic module Mk is in possession of the correct private key pk of the appropriate key pair Pk, pk. This is the case if the message m is the message m again after encryption and decryption.
  • the public key Pk is stored in the MTL list as soon as an authorized person has confirmed the trustworthiness of the electronic module Mk.
  • the electronic module Mk does not have a suitable key pair Pk, pk or if no suitable key pair Pk, pk can be generated for the electronic module Mk (program point 70), the electronic module Mk remains excluded from communication. If necessary, an error message is generated that the electronic module Mk does not have a suitable key pair Pk, pk (program point 90).
  • the method according to the invention makes it possible to reliably prove the correct identity of an electronic module Mk. Fake modules can be eliminated.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • Computing Systems (AREA)
  • Mathematical Physics (AREA)
  • Automation & Control Theory (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Storage Device Security (AREA)
  • Computer And Data Communications (AREA)

Description

Die Erfindung betrifft ein Verfahren zur Überprüfung der Authentizität von elektronischen Modulen eines modular aufgebauten Feldgeräts der Automatisierungstechnik.The invention relates to a method for checking the authenticity of electronic modules of a modular field device in automation technology.

In der Prozessautomatisierung ebenso wie in der Fertigungsautomatisierung werden vielfach Feldgeräte zur Erfassung und/oder Beeinflussung von physikalischen, chemischen oder biologischen Prozessgrößen eingesetzt. Zur Erfassung der Prozessgrößen dienen Messgeräte. Diese werden beispielsweise zur Druck- und Temperaturmessung, Leitfähigkeitsmessung, Durchflussmessung, pH-Messung, Füllstandmessung, etc. verwendet und erfassen die entsprechenden Prozessvariablen Druck, Temperatur, Leitfähigkeit, pH-Wert, Füllstand, Durchfluss etc. Zur Beeinflussung der Prozessgrößen werden Aktorsysteme verwendet. Beispiele für Aktoren sind Pumpen oder Ventile, die den Durchfluss einer Flüssigkeit in einem Rohr oder den Füllstand in einem Behälter beeinflussen können. Neben den zuvor genannten Messgeräten und Aktoren werden unter Feldgeräten auch Remote I/Os, Funkadapter bzw. allgemein Geräte verstanden, die auf der Feldebene angeordnet sind. Im Zusammenhang mit der Erfindung werden als Feldgeräte alle Geräte bezeichnet, die in der Nähe des Prozesses oder der Anlage eingesetzt werden und die prozess- oder anlagerelevante Informationen liefern oder verarbeiten.In process automation as well as in production automation, field devices are often used to record and/or influence physical, chemical or biological process variables. Measuring devices are used to record the process variables. These are used, for example, for pressure and temperature measurement, conductivity measurement, flow measurement, pH measurement, level measurement, etc. and record the corresponding process variables pressure, temperature, conductivity, pH value, level, flow, etc. Actuator systems are used to influence the process variables. Examples of actuators are pumps or valves that can influence the flow of a liquid in a pipe or the level in a container. In addition to the measuring devices and actuators mentioned above, field devices also include remote I/Os, radio adapters or general devices that are arranged at the field level. In connection with the invention, field devices are all devices that are used near the process or system and that provide or process process- or system-relevant information.

Entsprechende Feldgeräte bestehen üblicherweise aus einer Vielzahl von elektronischen Modulen, wie z.B. Steckmodulen mit Leiterkarten, Sensoren mit digitaler Anbindung, usw. Erfolgt der Austausch oder das Hinzufügen eines elektronischen Moduls, so wird heute nicht geprüft, ob das elektronische Modul authentisch ist. Aktuell wird ein elektronisches Modul üblicherweise visuell überprüft und nach positiver Sichtinspektion als authentisch hingenommen.Corresponding field devices usually consist of a large number of electronic modules, such as plug-in modules with circuit boards, sensors with digital connections, etc. If an electronic module is replaced or added, there is currently no check to see whether the electronic module is authentic. Currently, an electronic module is usually visually checked and accepted as authentic after a positive visual inspection.

Die zuvor beschriebene Vorgehensweise birgt ein beachtliches Sicherheitsrisiko: Da im Prinzip keine Möglichkeit besteht, ein wie auch immer geartetes ggf. manipuliertes elektronisches Modul zu erkennen, besteht die Gefahr, dass ein ggf. manipuliertes elektronisches Modul in einer Anlage der Automatisierungstechnik eingebaut wird. Erfüllt das elektronische Modul z.B. nicht die Anforderungen für den Einsatz in einem explosionsgefährdeten Bereich, kommt aber in einem solchen Bereich zum Einsatz, so kann dies durchaus lebensbedrohende Auswirkungen haben.The procedure described above poses a considerable safety risk: Since there is basically no way of detecting a possibly manipulated electronic module of any kind, there is a risk that a possibly manipulated electronic module will be installed in an automation system. If the electronic module does not meet the requirements for use in an area at risk of explosion, for example, but is used in such an area, this can have life-threatening consequences.

Die vorliegende Patentanmeldung beschreibt ein Verfahren zur Sicherstellung der Modul-Authentizität: Ist das Modul tatsächlich das Modul, das es vorgibt zu sein. Hier geht es primär darum, zu prüfen, ob ein bestimmtes Modul vorhanden ist, wobei hier die Identität gerprüft wird und baugleiche Module nicht automatisch akzeptiert werden. In einer parallel zu dieser Patentanmeldung eingereichten Patentanmeldung der Anmelderin wird die Hersteller-Authentizität geprüft, d.h. ob ein elektronisches Modul von einem Originalhersteller oder von einem vertrauenswürdigen Dritten bzw. einem Zulieferer stammt. Selbstverständlich könnten auch beide Verfahren gleichzeitig oder nacheinander zur Überprüfung eines elektronischen Moduls eingesetzt werden.The present patent application describes a method for ensuring module authenticity: Is the module really the module it claims to be? The primary aim here is to check whether a certain module is present, whereby the identity is checked and modules of the same construction are not automatically accepted. In a patent application filed by the applicant in parallel to this patent application, the manufacturer authenticity is checked, ie whether an electronic module comes from an original manufacturer or from a trustworthy third party or a supplier. Of course, both methods could also be used simultaneously or one after the other to check an electronic module.

Die EP 2 806 599 A1 offenbart ein Verfahen zum Hinzufügen eines drahtlosen Geräts in ein Drahtlosnetzwerk, wobei ein erstes und ein zweites Zertifikat sowie ein erster und ein zweiter öffetlicher Schlüsse verwendet werden.The EP 2 806 599 A1 discloses a method for adding a wireless device to a wireless network using first and second certificates and first and second public keys.

Die DE 10 2017 111928 A1 umfasst ein Verfahren zur autorisierten Aktualisierung einer ersten Betriebssoftware eines Feldgeräts, wobei eine Authentifizierungsprüfung einer zweiten, mittels eines ersten privaten, der Anlage zugeordneten, Schlüssels signierten Betriebssoftware für das Feldgerät, durchgeführt wird, wobei im Falle, dass die Authentifizierungsprüfung erfolgreich durchgeführt wurde, die auf dem Feldgerät befindliche erste Betriebssoftware zumindest teilweise durch die zweite Betriebssoftware ersetzt wird.The EN 10 2017 111928 A1 comprises a method for the authorized updating of a first operating software of a field device, wherein an authentication check of a second operating software for the field device, signed by means of a first private key assigned to the system, is carried out, wherein, in the event that the authentication check was carried out successfully, the first operating software located on the field device is at least partially replaced by the second operating software.

Die US 2004/00327 A1 offenbart ein Verfahren, in welchem ein Fahrzeug eine potentielle Komponente zur Verwendung in dem Fahrzeug authentifiziert, indem es von einer Zertifizierungsstelle eine Zertifizierung erhält, dass eine authentische Komponente mit einem kryptographischen Schlüssel verbunden ist. Die Zertifizierung bescheinigt, dass der kryptografische Schlüssel an Informationen gebunden ist, die die authentische Komponente identifizieren. Das Fahrzeug verwendet den von der Zertifizierungsstelle erhaltenen kryptografischen Schlüssel in der kryptografischen Kommunikation mit der potentiellen Komponente und bestimmt, ob die potentielle Komponente die authentische Komponente ist, basierend darauf, ob der kryptografische Schlüssel erfolgreich in der kryptografischen Kommunikation verwendet wird.The US 2004/00327 A1 discloses a method in which a vehicle authenticates a potential component for use in the vehicle by obtaining a certification from a certification authority that an authentic component is associated with a cryptographic key. The certification attests that the cryptographic key is bound to information identifying the authentic component. The vehicle uses the cryptographic key obtained from the certification authority in cryptographic communication with the potential component and determines whether the potential component is the authentic component based on whether the cryptographic key is successfully used in the cryptographic communication.

Der Erfindung liegt die Aufgabe zugrunde, eine nicht-authentisches elektronisches Modul automatisch zu erkennen.The invention is based on the object of automatically detecting a non-authentic electronic module.

Die Aufgabe wird durch ein Verfahren zur Überprüfung der Authentizität von elektronischen Modulen eines modular aufgebauten Feldgeräts der Automatisierungstechnik gemäß Patentanspruch 1 gelöst.The object is achieved by a method for checking the authenticity of electronic modules of a modular field device of automation technology according to patent claim 1.

Es wird also geprüft, ob jene Modul-Individuen vorhanden sind, die gemäß der Module Trust List vorhanden sein sollten. Wird ein elektronisches Modul ersetzt oder hinzugefügt, so wird dies mit dem erfindungsgemäßen Verfahren erkannt. Die Einbindung in den Betrieb wird verweigert, wenn das elektronische Modul seine Authentizität nicht nachweisen kann.It is therefore checked whether the individual modules are present that should be present according to the Module Trust List. If an electronic module is replaced or added, this is detected using the method according to the invention. Integration into the operation is refused if the electronic module cannot prove its authenticity.

Gemäß der Erfindung überprüft ein Feldgerät also, bevor es ein ausgetauschtes oder hinzugefügtes elektronisches Modul in die zum Betrieb des Feldgeräts erforderliche Kommunikation miteinbezieht, ob der Public Key des elektronischen Moduls in der Liste der als vertrauenswürdig gekennzeichneten elektronischen Module enthalten ist. Die Überprüfung der Authentizität eines elektronischen Moduls erfolgt üblicherweise während der Laufzeit des Feldgeräts.According to the invention, a field device checks whether the public key of the electronic module is included in the list of electronic modules marked as trustworthy before it includes a replaced or added electronic module in the communication required to operate the field device. The authenticity of an electronic module is usually checked during the runtime of the field device.

Das jedem elektronischen Modul zugeordnete Schlüsselpaar wird auch als kryptografische Identität des elektronischen Moduls bezeichnet. Prinzipiell bekannt sind die symmetrische Verschlüsselung und die asymmetrische Verschlüsselung. Während bei der symmetrischen Verschlüsselung Verschlüsselung und Entschlüsselung mit einem identischen Schlüssel erfolgen, geschieht dies bei der asymmetrischen Verschlüsselung mit zwei unterschiedlichen Schlüsseln.The key pair assigned to each electronic module is also referred to as the cryptographic identity of the electronic module. Symmetric encryption and asymmetric encryption are known in principle. While in symmetric encryption, encryption and decryption are carried out with an identical key, in asymmetric encryption this is done with two different keys.

Bei der asymmetrischen Kryptographie werden oftmals RSA-basierte Schlüsselpaare eingesetzt, die sich eventuell in der Schlüssellänge unterscheiden. Aktuell gelten RSA-Schlüssel der Länge 2048 Bit bereits als kritisch; wer mehr Sicherheit benötigt, verwendet Schlüssellängen von 3072 oder gar 4096 Bit. Die zunehmenden Schlüssellängen wirken sich allerdings nicht nur negativ auf den benötigten Speicherplatz aus, sondern es leidet auch die Performance - und zwar sowohl bei der asymmetrischen Ver- und Entschlüsselung als auch und vor allem bei der Schlüsselpaarerzeugung. Deutlich effizienter als die auf Primzahlkörpern basierenden RSA-Kryptosysteme sind solche, die elliptische Kurven verwenden. Dabei haben sich einige wenige EC (elliptic curves) etabliert. Eine davon ist die Curve25519.Asymmetric cryptography often uses RSA-based key pairs that may differ in key length. Currently, RSA keys with a length of 2048 bits are already considered critical; those who need more security use key lengths of 3072 or even 4096 bits. However, the increasing key lengths not only have a negative impact on the storage space required, but also also the performance - both in asymmetric encryption and decryption and, above all, in key pair generation. Significantly more efficient than the RSA cryptosystems based on prime number fields are those that use elliptic curves. A few EC (elliptic curves) have become established. One of them is Curve25519.

Bevorzugt wird in Verbindung mit der Erfindung ein asymmetrisches Schlüsselpaar verwendet. Die asymmetrischen Verschlüsselungsverfahren gelten als sehr sicher, da zwei Schlüssel zum Einsatz kommen, die nicht auseinander ableitbar sind: Ein öffentlicher Schlüssel (Public Key) für die Verschlüsselung und ein privater Schlüssel (Private Key) für die Entschlüsselung oder umgekehrt. Der private Schlüssel bleibt stets beim Erzeuger des Schlüssels. Entweder wird also mit dem privaten Schlüssel verschlüsselt und mit dem öffentlichen Schlüssel entschlüsselt oder umgekehrt.Preferably, an asymmetric key pair is used in conjunction with the invention. The asymmetric encryption methods are considered to be very secure because two keys are used that cannot be derived from one another: a public key for encryption and a private key for decryption, or vice versa. The private key always remains with the creator of the key. So either the private key is used for encryption and the public key is used for decryption, or vice versa.

Weiterhin wird der folgende Verfahrensschritt vorgeschlagen:
Zwecks Überprüfung, ob das elektronische Modul im Besitz des Public Key des geeigneten Schlüsselpaares ist, fordert das Feldgerät oder die mit dem Feldgerät kommunizierenden Einheit den Public Key des ausgetauschten oder hinzugefügten elektronischen Moduls an und überprüft, ob der Public Key des elektronischen Moduls in der Liste der als vertrauenswürdig eingestuften Public Keys gespeichert ist.
Furthermore, the following procedural step is proposed:
To check whether the electronic module is in possession of the public key of the appropriate key pair, the field device or the unit communicating with the field device requests the public key of the replaced or added electronic module and checks whether the public key of the electronic module is stored in the list of public keys classified as trusted.

Darüber hinaus erfolgt der Test, ob das elektronische Modul im Besitz des Private Key des geeigneten Schlüsselpaares ist. Für diesen Test wird erfindungsgemäß ein Challenge-Response-Verfahren angewendet. Der Umstand, dass ein elektronisches Modul einen vertrauenswürdigen Public Key liefert, beweist noch nicht, dass dieser auch der zu diesem elektronischen Modul gehörige Public Key ist. Schließlich könnte es sich auch um ein Fake-Modul handeln, welches einen sich unrechtmäßig beschafften Public Key verwendet. Daher muss geprüft werden, ob dieses elektronische Modul authentisch ist, d.h. ob der gelieferte Public Key auch tatsächlich diesem elektronischen Modul gehört, ob das elektronische Modul den ihm zugehörigen korrekten Public Key geliefert hat und ob es dies auch beweisen kann. Für diesen Nachweis wird - wie gesagt - bevorzugt das Challenge-Response-Verfahren genutzt.In addition, a test is carried out to determine whether the electronic module is in possession of the private key of the appropriate key pair. According to the invention, a challenge-response procedure is used for this test. The fact that an electronic module delivers a trustworthy public key does not prove that this is also the public key belonging to this electronic module. After all, it could also be a fake module that uses an illegally obtained public key. It must therefore be checked whether this electronic module is authentic, i.e. whether the public key supplied actually belongs to this electronic module, whether the electronic module has supplied the correct public key associated with it and whether it can prove this. As mentioned, the challenge-response procedure is preferably used for this proof.

Hierzu sendet das Feldgerät bzw. eine elektronische Komponente eine beliebige Nachricht an das ausgetauschte oder hinzugefügte elektronische Modul mit der Bitte um Signaturerstellung ("challenge"). Das Modul signiert diese Nachricht und sendet die Signatur ("response") an das Feldgerät bzw. an das anfragende elektronische Modul zurück. Das Feldgerät bzw. das anfragende elektronische Modul kann nun anhand der Signatur prüfen, ob das elektronische Modul im Besitz des korrekten Private Keys ist.To do this, the field device or an electronic component sends any message to the replaced or added electronic module requesting the creation of a signature ("challenge"). The module signs this message and sends the signature ("response") back to the field device or the requesting electronic module. The field device or the requesting electronic module can now use the signature to check whether the electronic module is in possession of the correct private key.

Die Erstellung der Signatur erfolgt beispielhaft folgendermaßen: Das Modul k wendet auf die Nachricht m ein Hashverfahren an und verschlüsselt den erhaltenen Hashwert mit seinem Private Key. Das Feldgerät entschlüsselt die erhaltene Signatur mit dem Public Key des Moduls und vergleicht dies mit einem selbst berechneten Hashwert der gesendeten Nachricht. Im Idealfall sind beide Hashwerte identisch, was beweist, dass a) das Modul die Wahrheit gesagt hat, da es den korrekten Public Key gesendet hat und b) dass es dies auch beweisen kann, da es den zugehörigen Private Key besitzt. Mit der Erbringung dieses Nachweises gilt das ausgetauschte oder hinzugefügte elektronische Modul als authentisch. Zur Signaturerstellung sind darüber hinasu auch spezielle Algorithmen (DSA ECDSA, etc.) bekannt geworden, die letztlich aber ebenfalls mit einem asymmetrischen Schlüsselpaar arbeiten.The signature is created as follows: Module k applies a hash procedure to message m and encrypts the received hash value with its private key. The field device decrypts the received signature with the module's public key and compares this with a self-calculated hash value of the sent message. Ideally, both hash values are identical, which proves that a) the module told the truth because it sent the correct public key and b) that it can also prove this because it has the associated private key. By providing this proof, the replaced or added electronic module is considered authentic. Special algorithms (DSA ECDSA, etc.) have also become known for creating signatures, but these ultimately also work with an asymmetric key pair.

Hat ein elektronisches Modul nun kein geeignetes Schlüsselpaar oder nur eines, welches auf einer anderen Kurve oder auf einem anderen Kryptosystem basiert, so kann es an dem Challenge Response Verfahren nicht teilnehmen. Abhilfe ist möglich, wenn dieses elektronische Modul über einen Generator verfügt, mit Hilfe dessen ein solches geeignetes Schlüsselpaar erzeugt werden kann; alternativ muss es über eine entsprechende Schnittstelle und einen Schlüsselspeicher verfügen, so dass ggf. ein extern erzeugtes Schlüsselpaar in das elektronische Modul nachträglich eingeschrieben werden kann. In beiden Fällen muss das Modul aber die passendenden / zugehörigen Operationen, z.B. das Verschlüsseln mit dem private Key, beherrschen.If an electronic module does not have a suitable key pair or only has one that is based on a different curve or on a different cryptosystem, it cannot participate in the challenge response process. This can be remedied if this electronic module has a generator that can be used to generate such a suitable key pair; alternatively, it must have a corresponding interface and a key memory so that an externally generated key pair can be subsequently written into the electronic module if necessary. In both cases, however, the module must be able to perform the appropriate/related operations, e.g. encryption with the private key.

Zusammengefasst wird dem ausgetauschten oder hinzugefügten elektronischen Modul - insbesondere vom Feldgerät - eine beliebige Nachricht als Challenge gesendet mit der Bitte um Signaturerstellung mit dem Private Key. Das elektronische Modul signiert die Nachricht mit seinem Private Key und sendet die Signatur als Response zurück. Anhand der Signatur wird überprüft, ob das elektronische Modul im Besitz des Private Key des geeigneten Schlüsselpaares ist. Jedes Schlüsselpaar, im Sinne einer asymmetrischen Kryptographie, ist als geeignet anzusehen. Gebräuchlich sind RSA- oder EC-basierte Schlüsselpaare. Ein Schlüsselpaar ist ein Werkzeug. Ein solches Schlüsselpaar wird nun von dem Feldgerät verwendet, um die Authentizität des elektronischen Moduls festzustellen.In summary, the replaced or added electronic module - especially from the field device - is sent a random message as a challenge with the request to create a signature with the private key. The electronic module signs the message with its private key and sends the signature back as a response. The signature is used to check whether the electronic module is in possession of the private key of the appropriate key pair. Any key pair, in the sense of asymmetric cryptography, is considered suitable. RSA or EC-based key pairs are common. A key pair is a tool. Such a key pair is then used by the field device to determine the authenticity of the electronic module.

"Geeignet" kann im konkreten Fall noch eingeschränkt werden: Sowohl das Feldgerät also auch das elektronische Modul müssen die jeweiligen Operationen (Verschlüsseln, Entschlüsseln) mit dem Schlüsselpaar beherrschen. Kann das Feldgerät z.B. nur EC und das Modul nur RSA, dann funktioniert die Erfindung nicht. Kann das elektronische Modul überhaupt keine asymmetrische Kryptographie, dann existiert auch kein geeignetes Schlüsselpaar."Suitable" can be restricted in a specific case: Both the field device and the electronic module must be able to perform the respective operations (encryption, decryption) with the key pair. If the field device can only do EC and the module can only do RSA, for example, then the invention will not work. If the electronic module cannot do asymmetric cryptography at all, then no suitable key pair exists.

Nachfolgend werden einige Spezialfälle beschrieben: Ergibt die Überprüfung, dass das ausgetauschte oder hinzugefügte elektronische Modul kein Schlüsselpaar aufweist, so wird überprüft, ob ein Schlüsselpaar für das elektronische Modul erzeugt oder bereitgestellt werden kann,
wobei in dem Fall, dass das Schlüsselpaar von einem weiteren elektronischen Modul bereitgestellt bzw. erzeugt wird, das Schlüsselpaar an das ausgetauschte oder hinzugefügte elektronische Modul übergeben wird.
Some special cases are described below: If the check shows that the replaced or added electronic module does not have a key pair, a check is carried out to see whether a key pair can be generated or provided for the electronic module,
In the event that the key pair is provided or generated by another electronic module, the key pair is passed on to the replaced or added electronic module.

Weiterhin wird im Zusammenhang mit der Erfindung vorgeschlagen, dass ein ausgetauschtes oder hinzugefügtes elektronische Modul, das kein geeignetes Schlüsselpaar besitzt oder für das kein geeignetes Schlüsselpaar erzeugt werden kann, von der Kommunikation ausgeschlossen bleibt.Furthermore, in connection with the invention, it is proposed that a replaced or added electronic module which does not have a suitable key pair or for which no suitable key pair can be generated remains excluded from communication.

Erfindungsgemäß wird, im Falle, dass die Überprüfung ergibt, dass das ausgetauschte oder hinzugefügte elektronische Modul ein Schlüsselpaar besitzt, dass der Public Key des Schlüsselpaares aber nicht in der Liste gespeichert ist, obwohl das elektronische Modul authentisch zu sein scheint, der Public Key des erzeugten Schlüsselpaars der Liste der als vertrauenswürdig eingestuften elektronischen Module zugeordnet, sobald eine autorisierte Person die Vertrauenswürdigkeit des elektronischen Moduls bestätigt hat.According to the invention, if the verification shows that the replaced or added electronic module has a key pair, but that the public key of the key pair is not stored in the list, although the electronic module appears to be authentic, the public key of the generated key pair is assigned to the list of electronic modules classified as trustworthy as soon as an authorized person has confirmed the trustworthiness of the electronic module.

Auch in dem Fall, dass für das elektronische Modul ein geeignetes Schlüsselpaar erzeugt werden kann, wird der Public Key des Schlüsselpaares in der Liste der als vertrauenswürdig eingestuften elektronischen Module gespeichert, wenn eine autorisierte Person die Vertrauenswürdigkeit des elektronischen Moduls bestätigt. So kann die Liste größer werden und die Publik Keys mehrerer elektronischer Module enthalten. Natürlich ist es sinnvoll, bei Modultausch, den Public Key des ausgetauschten Moduls aus der Module Trust List zu entfernen.Even if a suitable key pair can be generated for the electronic module, the public key of the key pair is stored in the list of electronic modules classified as trustworthy if an authorized Person confirms the trustworthiness of the electronic module. This allows the list to grow and contain the public keys of several electronic modules. Of course, when replacing modules, it is a good idea to remove the public key of the replaced module from the Module Trust List.

Hat ein elektronisches Modul kein geeignetes Schlüsselpaar oder nur eines, welches auf einer anderen Kurve oder auf einem anderen Kryptosystem basiert, so kann es an dem Challenge Response Verfahren nicht teilnehmen. Um ein geeignetes Schlüsselpaar zu erzeugen, ist es erforderlich, dass dieses elektronische Modul über einen Generator verfügt, mit Hilfe dessen ein solches (geeignetes) Schlüsselpaar erzeugt werden kann, oder aber es muss über ein Interface und einen Schlüsselspeicher verfügen, so dass ein extern erzeugtes Schlüsselpaar in das elektronische Modul eingeschrieben werden kann. In beiden Fällen muss das elektronische Modul aber die passendenden / zugehörigen Voraussetzungen und Operationen (z.B. Verschlüsseln mit dem Private Key) beherrschen.If an electronic module does not have a suitable key pair or only has one that is based on a different curve or on a different cryptosystem, it cannot participate in the challenge-response process. In order to generate a suitable key pair, this electronic module must have a generator with which such a (suitable) key pair can be generated, or it must have an interface and a key memory so that an externally generated key pair can be written into the electronic module. In both cases, however, the electronic module must master the appropriate / associated requirements and operations (e.g. encryption with the private key).

Es ist vorgesehen, dass die elektronischen Module vom Original-Hersteller oder einem vom Original-Hersteller autorisierten Dritten während des Produktionsprozesses oder bei einem Service-Einsatz mit jeweils einem geeigneten Schlüsselpaar versehen werden; weiterhin wird der Public Key des geeigneten Schlüsselpaare zu dem entsprechenden Zeitpunkt in der Liste der als vertrauenswürdig eingestuften elektronischen Module gespeichert. Bei der Produktion oder später durch Modultausch oder Modulergänzung wird dem Feldgerät durch eine vertrauenswürdige Person mitgeteilt, dass das getauschte oder hinzugefügte elektronische Modul als vertrauenswürdig zu betrachten ist. Dabei übernimmt das Feldgerät den Public Key des elektronischen Moduls in seine Module Trust List MTL.It is intended that the electronic modules are each provided with a suitable key pair by the original manufacturer or a third party authorized by the original manufacturer during the production process or during a service call; furthermore, the public key of the suitable key pair is stored at the corresponding time in the list of electronic modules classified as trustworthy. During production or later when modules are exchanged or added, the field device is informed by a trusted person that the exchanged or added electronic module is to be considered trustworthy. The field device then transfers the public key of the electronic module to its Module Trust List MTL.

Beim Austausch eines elektronischen Moduls wird der Public Key des ersetzten elektronischen Moduls aus der Liste der als vertrauenswürdig eingestuften elektronischen Module gelöscht.When an electronic module is replaced, the public key of the replaced electronic module is deleted from the list of electronic modules classified as trusted.

Wie bereits zuvor erwähnt, kann die Überprüfung bzw. der Test, ob das elektronische Modul authentisch ist, während des laufenden Betriebs des Feldgeräts durchgeführt.As mentioned previously, the verification or test of whether the electronic module is authentic can be carried out while the field device is in operation.

Erwähnt wurde ebenfalls bereits, dass in Verbindung mit der Erfindung anstelle des Public Key des elektronischen Moduls eine Ableitung, z.B. ein Hashwert, oder eine anderweitige unabhängige und eindeutige Identifikation verwendet werden kann.It has also already been mentioned that in connection with the invention, a derivation, e.g. a hash value, or another independent and unique identification can be used instead of the public key of the electronic module.

Die Erfindung wird anhand der nachfolgenden Figuren näher erläutert. Es zeigt:

  • Fig. 1: eine schematische Darstellung eines Feldgeräts mit mehreren elektronischen Modulen, das zur Durchführung des erfindungsgemäßen Verfahrens geeignet ist, und
  • Fig. 2: ein Flussdiagramm, das das erfindungsgemäße Verfahren mit unterschiedlichen Weiterbildungen beschreibt.
The invention is explained in more detail with reference to the following figures. It shows:
  • Fig.1 : a schematic representation of a field device with several electronic modules, which is suitable for carrying out the method according to the invention, and
  • Fig.2 : a flow chart describing the method according to the invention with different further developments.

Fig. 1 zeigt eine schematische Darstellung eines Feldgeräts FG mit mehreren elektronischen Modulen Mk, das zur Durchführung des erfindungsgemäßen Verfahrens geeignet ist. Das Feldgerät FG weist im dargestellten Fall drei elektronische Module Mk mit k = 1, 2, 3 auf. Jedem elektronischen Modul Mk des Feldgeräts FG ist ein geeignetes Schlüsselpaar Pk, pk mit k = 1, 2, 3 zugeordnet. Dieses geeignete Schlüsselpaar Pk, pk ist Voraussetzung dafür, dass das zugehörige elektronische Modul Mk seine Authentizität bestätigen kann. Jedes Schlüsselpaar Pk, pk besteht aus einem Public Key Pk und einem Private Key pk. Weiterhin sind die Public Keys Pk der geeigneten Schlüsselpaare Pk, pk in einer Liste MTL gespeichert, wobei die Liste MTL dem Feldgerät FG oder einer mit dem Feldgerät FG kommunizierenden Einheit U zugeordnet ist. MTL ist die Abkürzung für Module Trust List. Die Liste enthält die Public Keys Pk der als vertrauenswürdig eingestuften elektronischen Module Mk. Nur wenn die Prüfungsschritte entsprechend dem erfindungsgemäßen Verfahren und/oder seiner weiteren Ausgestaltungen positiv beschieden werden, wird ein ausgetauschtes oder neu hinzugefügtes elektronisches Modul Mk funktionstüchtig in das Feldgerät FG eingebunden. Fig.1 shows a schematic representation of a field device FG with several electronic modules Mk, which is suitable for carrying out the method according to the invention. In the case shown, the field device FG has three electronic modules Mk with k = 1, 2, 3. Each electronic module Mk of the field device FG is assigned a suitable key pair Pk, pk with k = 1, 2, 3. This suitable key pair Pk, pk is a prerequisite for the associated electronic module Mk to be able to confirm its authenticity. Each key pair Pk, pk consists of a public key Pk and a private key pk. Furthermore, the public keys Pk of the suitable key pairs Pk, pk are stored in a list MTL, whereby the MTL list is assigned to the field device FG or to a unit U communicating with the field device FG. MTL is the abbreviation for Module Trust List. The list contains the public keys Pk of the electronic modules Mk classified as trustworthy. Only if the test steps according to the method according to the invention and/or its further embodiments are positively answered, a replaced or newly added electronic module Mk is functionally integrated into the field device FG.

Auch dem Feldgerät ist ein eigenes Schlüsselpaar Q, q bestehend aus Public Key Q und Private Key q zugeordnet. Das Feldgerät FG kann bei Bedarf den Public Key Q an ein oder mehrere elektronischen Module Mk übermitteln, um z.B. ein geheimes Wissen zwischen Feldgerät FG und elektronischem Modul Mk zu ermitteln und dieses (oder eine Ableitung davon) als symmetrischen Schlüssel für eine verschlüsselte Kommunikation zu verwenden (Stichwort: "Diffie-Hellman", Austausch der Public Keys). Möglich ist es auch, dass sich nicht nur das elektronische Modul Mk gegenüber dem Feldgerät FG ausweisen muss, sondern auch das Feldgerät FG gegenüber dem elektronischen Modul Mk. Hat ein elektronisches Modul Mk z.B. viele sensible (geheime) Daten gespeichert, so soll es diese möglicherweise nur einem oder nur bestimmten Feldgeräten FG mitteilen können. Hierzu müsste jedes elektronische Modul Mk über eine gespeicherte Field Device Trust List verfügen, in der die Public Keys der als vertrauenswürdig eingestuften Feldgeräte FGk gelistet sind.The field device is also assigned its own key pair Q, q consisting of public key Q and private key q. The field device FG can, if required, transmit the public key Q to one or more electronic modules Mk in order, for example, to determine secret knowledge between the field device FG and the electronic module Mk and to use this (or a derivation of it) as a symmetric key for encrypted communication (keyword: "Diffie-Hellman", exchange of public keys). It is also possible that not only the electronic module Mk has to identify itself to the field device FG, but also the field device FG to the electronic module Mk. If an electronic module Mk has stored a lot of sensitive (secret) data, for example, it may only be able to communicate this to one or only certain field devices FG. For this, each electronic module Mk would have to have a stored field device trust list in which the public keys of the field devices FGk classified as trustworthy are listed.

Fig. 2 zeigt ein Flussdiagramm, das das erfindungsgemäße Verfahren mit unterschiedlichen Weiterbildungen beschreibt. Fig.2 shows a flow chart describing the method according to the invention with different developments.

Unter dem Programmpunkt 10 wird ein neues elektronisches Modul Mk, z.B. Mod3neu, anstelle z.B. des elektronischen Moduls Mod3 eingesteckt; alternativ wird ein neues Modul Mk, z.B. das elektronische Modul Mod4, neu hinzugefügt. Unter dem Programmpunkt 20 wird überprüft, ob das neue elektronische Modul Mk über ein geeignetes Schlüsselpaar Pk, pk verfügt. Ist dies der Fall, so wird unter dem Programmpunkt 30 geprüft, ob der Public Key Pk des ausgetauschten oder hinzugefügten elektronischen Moduls Mk. Mk in der Liste MTL der Public Keys Pk aufgeführt ist. Ist die Prüfung positiv, wird bei Programmpunkt 40 gecheckt, ob das neue elektronische Modul Mk im Besitz des korrekten Private Key pk ist. Ist diese Überprüfung positiv, so wird eine die Funktionalität des Feldgeräts FG betreffende Kommunikation oder Interaktion des ausgetauschten oder hinzugefügten elektronischen Moduls Mk mit dem Feldgerät FG oder einem anderweitigen elektronischen Modul Mk des Feldgeräts FG zugelassen. Die Überprüfung wird bei Programmpunkt 60 beendet. Möglich ist es auch, dass die Überprüfung von einer separaten Einheit ausgeführt wird. Diese ist in der Fig.2 nicht gesondert dargestellt.Under program point 10, a new electronic module Mk, e.g. Mod3new, is plugged in instead of, for example, the electronic module Mod3; alternatively, a new module Mk, e.g. the electronic module Mod4, is added. Under program point 20, a check is made as to whether the new electronic module Mk has a suitable key pair Pk, pk. If this is the case, a check is made under program point 30 as to whether the public key Pk of the replaced or added electronic module Mk. Mk is listed in the MTL list of public keys Pk. If the check is positive, a check is made at program point 40 as to whether the new electronic module Mk has the correct private key pk. If this check is positive, communication or interaction between the replaced or added electronic module Mk and the field device FG or another electronic module Mk of the field device FG relating to the functionality of the field device FG is permitted. The check ends at program point 60. It is also possible that the check is carried out by a separate unit. This is in the Fig.2 not shown separately.

Zwecks Überprüfung, ob das elektronische Modul Mk im Besitz des Public Key Pk des geeigneten Schlüsselpaares Pk, pk ist - was bei Programmpunkt 30 festgestellt wird - fordert das Feldgerät FG oder die mit dem Feldgerät FG kommunizierenden Einheit U den Public Key Pk des ausgetauschten oder hinzugefügten elektronischen Moduls Mk an und überprüft, ob der Public Key Pk des elektronischen Moduls Mk in der Liste MTL gespeichert ist.In order to check whether the electronic module Mk is in possession of the public key Pk of the appropriate key pair Pk, pk - which is determined at program point 30 - the field device FG or the unit U communicating with the field device FG requests the public key Pk of the replaced or added electronic module Mk and checks whether the public key Pk of the electronic module Mk is stored in the MTL list.

Die Überprüfung, ob das elektronische Modul Mk auch im Besitz des korrekten Private Key pk des geeigneten Schlüsselpaares Pk, pk ist (Programmpunkt 40), erfolgt über ein Challenge-Response-Verfahren. Hierzu wird dem ausgetauschten oder hinzugefügten elektronischen Modul Mk insbesondere vom Feldgerät FG eine beliebige Nachricht m als Challenge gesendet mit der Bitte um Signaturerstellung mit dem vorhandenen Private Key pk. Das elektronische Modul Mk signiert die Nachricht m mit seinem Private Key pk und sendet die Signatur als Response zurück. Anhand der Signatur wird überprüft, ob das elektronische Modul Mk im Besitz des korrekten Private Key pk des geeigneten Schlüsselpaares Pk, pk ist. Dies ist der Fall, wenn die Nachricht m nach Ver- und Entschlüsselung wieder die Nachricht m ist.The check to see whether the electronic module Mk is in possession of the correct private key pk of the appropriate key pair Pk, pk (program point 40) is carried out using a challenge-response procedure. For this purpose, any message m is sent to the replaced or added electronic module Mk, in particular from the field device FG, as a challenge, with the request to create a signature with the existing private key pk. The electronic module Mk signs the message m with its private key pk and sends the signature back as a response. The signature is used to check whether the electronic module Mk is in possession of the correct private key pk of the appropriate key pair Pk, pk. This is the case if the message m is the message m again after encryption and decryption.

Schauen wir uns an, was passiert, wenn die Überprüfungen unter einem der den Programmpunkte 20, 30 oder 40 ein negatives Ergebnis liefern.Let's look at what happens if the checks under one of the program points 20, 30 or 40 produce a negative result.

Ergibt die Überprüfung unter Programmpunkt 20, dass das elektronische Modul Mk über kein geeignetes Schlüsselpaar Pk, pk verfügt, so wird überprüft, ob ein Schlüsselpaar Pk, pk für das elektronische Modul Mk erzeugt oder bereitgestellt werden kann (Programmpunkt 70). In dem Fall, dass das Schlüsselpaar Pk, pk von dem Feldgerät FG oder einem weiteren elektronischen Modul Mk bereitgestellt bzw. erzeugt werden kann (Programmpunkt 80), wird das Schlüsselpaar Pk, pk an das ausgetauschte oder hinzugefügte elektronische Modul Mk übergeben. Möglich ist auch, dass das ausgetauschte oder hinzugefügte Modul Mk selbst ein geeignetes Schlüsselpaar Pk, pk erzeugt. Hierzu muss es über geeignete technische Voraussetzungen verfügen. Eine Speicherung des Public Keys Pk in der Liste MTL erfolgt, sobald eine autorisierte Person die Vertrauenswürdigkeit des elektronischen Moduls Mk bestätigt hat.If the check under program point 20 shows that the electronic module Mk does not have a suitable key pair Pk, pk, a check is carried out to see whether a key pair Pk, pk can be generated or provided for the electronic module Mk (Program point 70). If the key pair Pk, pk can be provided or generated by the field device FG or another electronic module Mk (program point 80), the key pair Pk, pk is passed on to the replaced or added electronic module Mk. It is also possible that the replaced or added module Mk generates a suitable key pair Pk, pk itself. To do this, it must have the appropriate technical requirements. The public key Pk is stored in the MTL list as soon as an authorized person has confirmed the trustworthiness of the electronic module Mk.

Für den Fall, dass das elektronische Modul Mk kein geeignetes Schlüsselpaar Pk, pk besitzt oder dass kein geeignetes Schlüsselpaar Pk, pk für das elektronische Modul Mk erzeugt werden kann (Programmpunkt 70), bleibt das elektronische Modul Mk von der Kommunikation ausgeschlossen. Ggf. wird eine Fehlermeldung generiert, dass das elektronische Modul Mk kein geeignetes Schlüsselpaar Pk, pk besitzt (Programmpunkt 90).If the electronic module Mk does not have a suitable key pair Pk, pk or if no suitable key pair Pk, pk can be generated for the electronic module Mk (program point 70), the electronic module Mk remains excluded from communication. If necessary, an error message is generated that the electronic module Mk does not have a suitable key pair Pk, pk (program point 90).

Falls der Public Key Pk des ausgetauschten oder hinzugefügten Moduls Mk nicht in der Liste MTL enthalten ist (Programmpunkt 30) und ein autorisierter Nutzer die Vertrauenswürdigkeit des elektronischen Moduls Mk nicht bestätigt, wird eine Fehlermeldung ausgegeben, dass das elektronische Modul Mk nicht vertrauenswürdig ist (Programmpunkt 120). Das Feldgerät FG bindet das ausgetauschte oder hinzugefügte Modul nicht in die Kommunikation ein.If the public key Pk of the replaced or added module Mk is not included in the MTL list (program point 30) and an authorized user does not confirm the trustworthiness of the electronic module Mk, an error message is issued that the electronic module Mk is not trustworthy (program point 120). The field device FG does not integrate the replaced or added module into the communication.

Ergibt der Challenge Response Test unter Programmpunkt 40, dass das elektronische Modul nicht im Besitz des korrekten Private Key pk ist, so wird unter dem Programmpunkt 130 eine Fehlermeldung generiert, dass das elektronische Modul Mk nicht authentisch ist.If the challenge response test under program point 40 shows that the electronic module does not have the correct private key pk, an error message is generated under program point 130 stating that the electronic module Mk is not authentic.

Durch das erfindungsgemäße Verfahren ist es möglich, die korrekte Identität eines elektronischen Moduls Mk sicher nachzuweisen. Fake-Module können ausgesondert werden.The method according to the invention makes it possible to reliably prove the correct identity of an electronic module Mk. Fake modules can be eliminated.

Claims (10)

  1. Method for checking the authenticity of electronic modules (Mk) of a modular field device (FG) in automation technology
    where each electronic module (Mk with k = 1, 2, ... n) of the field device (FG) has a suitable key pair (Pk, pk with k = 1, 2....n) is assigned, which confirms the identity of the electronic module (Mk), wherein each key pair (Pk, pk) consists of a public key (Pk) and a private key (pk), and wherein the public keys (Pk) of the suitable key pairs (Pk, pk) are stored in a list (MTL), wherein
    the list (MTL) to the field device (FG) or one with the field device (FG) communicating unit (U), the method comprising the following method steps:
    - When replacing or adding an electronic module (Mk), the field device (FG) or the unit (U) communicating with the field device (FG)
    checked:
    - whether the replaced or added electronic module (Mk) has a key pair (Pk, pk), and
    - whether the public key (Pk) of the replaced or added electronic module is included in the list (MTL) of public keys (Pk),
    - whether the electronic module (Mk) is in possession of the correct private key(pk), whereby a challenge-response procedure is used to test whether the electronic module (Mk) is in possession of the private key (pk) of the suitable key pair (Pk, pk),
    - a communication or interaction of the field device concerning the functionality of the replaced or added electronic module (Mk) with the field device (FG) or another electronic module (Mk) is permitted if the check is completed with a positive result,
    - If the check shows that the replaced or added electronic module (Mk) does not have a key pair (Pk, pk), the system checks whether a key pair (Pk, pk) can be generated or provided for the electronic module (Mk), wherein, in the event that the key pair (Pk, pk) is provided or generated by a further electronic module (Mk), the key pair (Pk, pk) is transferred to the replaced or added electronic module (Mk).
  2. Method according to claim 1 with the following process step:
    In order to check whether the electronic module (Mk) is in possession of the public key (Pk) of the suitable key pair (Pk, pk), the field device (FG) or the unit (U) communicating with the field device (FG) requests the public key (Pk) of the replaced or added electronic module (Mk) and checks whether the public key (Pk) is in the possession of the suitable key pair (Pk, pk).
    of the electronic module (Mk) is stored in the list (MTL).
  3. Method according to claim 1 with the following method steps:
    In particular, the field device (FG) sends any message (m) as a challenge to the replaced or added electronic module (Mk) with the request for
    Signature creation with the private key (pk),
    the electronic module (Mk) signs the message (m) with its private key (pk) and sends the signature back as a response,
    The signature is used to check whether the electronic module (Mk) is in possession of the private key (pk) of the appropriate key pair (Pk, pk).
  4. Method according to claim 1 with the following method step:
    In the event that the electronic module (Mk) does not have a suitable key pair (Pk, pk) or that no suitable key pair (Pk, pk) can be generated for the electronic module (Mk), the electronic module (Mk) remains excluded from communication. excluded.
  5. Method according to one or more of the preceding claims, comprising the following method steps:
    If the check shows that the replaced or added electronic module (Mk) has a key pair (Pk, pk), but that the public key (Pk) of the key pair (Pk, pk) is not stored in the list (MTL), the public key (Pk) of the generated key pair (Pk, pk) is assigned to the list (MTL) if an authorized person (A) confirms the trustworthiness of the electronic module (Mk).
  6. Method according to claim 1 with the following process steps:
    in the event that a suitable key pair (Pk, pk) can be generated for the electronic module (Mk), the public key (Pk) of the key pair (Pk, pk) is stored in the list (MTL) if an authorized person (A) confirms the trustworthiness of the electronic module (Mk).
  7. Method according to one or more of the preceding claims, comprising the following method steps:
    - the electronic modules (Mk) are manufactured by the original manufacturer or a third party authorized by the original manufacturer during the production process or in the case of Each service insert is provided with a suitable key pair (Pk, pk), and
    and the public keys (Pk) of the suitable key pairs (Pk, pk) are stored in the list (MTL).
  8. Method according to one or more of the preceding claims, comprising the following method step:
    When an electronic module (Mk) is replaced, the public key (Pk) of the replaced electronic module (Mk) is deleted from the list (MTL).
  9. Method according to one or more of the preceding claims, comprising the following method step:
    The inspection and test are carried out while the field device (FG) is in operation.
  10. Method according to one or more of the preceding claims, comprising the following method step:
    Instead of the public key (Pk) of the electronic module (Mk), a derivation, e.g. a hash value, or another independent and unique identification is used.
EP21164325.9A 2020-04-22 2021-03-23 Method for verifying the authenticity of electronic modules of a modular field device of automation technology Active EP3901714B1 (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
DE102020111019.7A DE102020111019A1 (en) 2020-04-22 2020-04-22 Method for checking the authenticity of electronic modules of a modular field device in automation technology

Publications (2)

Publication Number Publication Date
EP3901714A1 EP3901714A1 (en) 2021-10-27
EP3901714B1 true EP3901714B1 (en) 2024-07-17

Family

ID=75203018

Family Applications (1)

Application Number Title Priority Date Filing Date
EP21164325.9A Active EP3901714B1 (en) 2020-04-22 2021-03-23 Method for verifying the authenticity of electronic modules of a modular field device of automation technology

Country Status (4)

Country Link
US (1) US20210336783A1 (en)
EP (1) EP3901714B1 (en)
CN (1) CN113536399B (en)
DE (1) DE102020111019A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102022133826A1 (en) * 2022-12-19 2024-06-20 Endress+Hauser SE+Co. KG Method and system for mutual checking of the integrity of a large number of field devices in automation technology

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7010682B2 (en) * 2002-06-28 2006-03-07 Motorola, Inc. Method and system for vehicle authentication of a component
US20050289343A1 (en) 2004-06-23 2005-12-29 Sun Microsystems, Inc. Systems and methods for binding a hardware component and a platform
EP2792104B1 (en) * 2011-12-21 2021-06-30 SSH Communications Security Oyj Automated access, key, certificate, and credential management
JP5929834B2 (en) * 2013-05-24 2016-06-08 横河電機株式会社 Information setting method and wireless communication system
DE102017111928A1 (en) * 2017-05-31 2018-12-06 Endress+Hauser Conducta Gmbh+Co. Kg Method for authorized updating of a field device of automation technology
CN107786550B (en) * 2017-10-17 2019-11-05 中电长城(长沙)信息技术有限公司 A kind of safety communicating method of self-service device, safe communication system and self-service device
CN109361669B (en) * 2018-10-19 2022-03-18 深圳数粉科技有限公司 Identity authentication method, device and equipment of communication equipment
CN109981637B (en) * 2019-03-21 2021-07-16 浙江工商大学 A blockchain-based multi-source cross-composite authentication method for IoT
CN110808991B (en) * 2019-11-08 2020-10-09 北京金茂绿建科技有限公司 Method, system, electronic device and storage medium for secure communication connection

Also Published As

Publication number Publication date
CN113536399B (en) 2025-06-10
US20210336783A1 (en) 2021-10-28
DE102020111019A1 (en) 2021-10-28
CN113536399A (en) 2021-10-22
EP3901714A1 (en) 2021-10-27

Similar Documents

Publication Publication Date Title
DE102015220224B4 (en) Method for protected communication of a vehicle
DE102012202420B4 (en) SYSTEMS AND METHOD FOR DEVICE AND DATA AUTHENTICATION
DE102012206341B4 (en) Joint encryption of data
WO2019034509A1 (en) PROCESS FOR SAFELY REPLACING A FIRST MANUFACTURER'S CERTIFICATE ALREADY PLACED IN A DEVICE
EP1368929B1 (en) Authentication method
EP3108610A1 (en) Method and system for creating and checking the validity of device certificates
EP3417395B1 (en) Proving authenticity of a device with the aid of proof of authorization
EP3465513B1 (en) User authentication by means of an id token
EP4147099A1 (en) System and method for verifying components of an industrial monitoring system
DE102009036179A1 (en) Method for issuing a digital certificate by a certification authority, arrangement for carrying out the method and computer system of a certification authority
EP4092958A1 (en) Issuing of a digital verifiable credential
DE102020205993B3 (en) Concept for the exchange of cryptographic key information
EP3422274A1 (en) Method for configuring or changing a configuration of a payment terminal and/or for allocating a payment terminal to an operator
DE102009032355A1 (en) Method and device for authenticating components within an ATM
EP3901714B1 (en) Method for verifying the authenticity of electronic modules of a modular field device of automation technology
EP3881486A1 (en) Method for providing a proof of origin for a digital key pair
EP2893668B1 (en) Method for generating a derived authority from an original data carrier
EP3767513B1 (en) Method for secure execution of a remote signature, and security system
EP1988484A2 (en) Copy-protected chip cards and method related to their production
DE102023115048B4 (en) METHOD FOR CONSTRUCTING A DECENTRALIZED DATA COMMUNICATION STRUCTURE WITHIN A SYSTEM WITH A MULTIPLE NUMBER OF COMPONENTS
EP3901715B1 (en) Method for verifying the authentic origin of electronic modules of a modular field device of automation technology
EP4436097A1 (en) Method and system for cryptographically secure data transmission
DE102015208178A1 (en) Providing long-term safety information
WO2009095143A1 (en) Asymmetrical cryptosystem
EP3832508A1 (en) Blocking or revoking a device certificate

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION HAS BEEN PUBLISHED

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

B565 Issuance of search results under rule 164(2) epc

Effective date: 20210921

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

17P Request for examination filed

Effective date: 20211109

RBV Designated contracting states (corrected)

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: EXAMINATION IS IN PROGRESS

17Q First examination report despatched

Effective date: 20230303

GRAP Despatch of communication of intention to grant a patent

Free format text: ORIGINAL CODE: EPIDOSNIGR1

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: GRANT OF PATENT IS INTENDED

RIC1 Information provided on ipc code assigned before grant

Ipc: H04L 9/08 20060101ALN20240306BHEP

Ipc: G06F 21/70 20130101ALN20240306BHEP

Ipc: G06F 21/64 20130101ALI20240306BHEP

Ipc: H04L 9/32 20060101ALI20240306BHEP

Ipc: G05B 19/042 20060101AFI20240306BHEP

INTG Intention to grant announced

Effective date: 20240405

GRAS Grant fee paid

Free format text: ORIGINAL CODE: EPIDOSNIGR3

GRAA (expected) grant

Free format text: ORIGINAL CODE: 0009210

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE PATENT HAS BEEN GRANTED

AK Designated contracting states

Kind code of ref document: B1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

REG Reference to a national code

Ref country code: CH

Ref legal event code: EP

REG Reference to a national code

Ref country code: DE

Ref legal event code: R096

Ref document number: 502021004366

Country of ref document: DE

REG Reference to a national code

Ref country code: IE

Ref legal event code: FG4D

Free format text: LANGUAGE OF EP DOCUMENT: GERMAN

P01 Opt-out of the competence of the unified patent court (upc) registered

Free format text: CASE NUMBER: APP_48907/2024

Effective date: 20240827

REG Reference to a national code

Ref country code: LT

Ref legal event code: MG9D

REG Reference to a national code

Ref country code: NL

Ref legal event code: MP

Effective date: 20240717

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: PT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20241118

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: NL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20240717

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: PT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20241118

Ref country code: NL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20240717

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: NO

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20241017

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: GR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20241018

Ref country code: FI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20240717

Ref country code: PL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20240717

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: BG

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20240717

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: LV

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20240717

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: IS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20241117

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: HR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20240717

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: ES

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20240717

Ref country code: RS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20241017

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: RS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20241017

Ref country code: PL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20240717

Ref country code: NO

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20241017

Ref country code: LV

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20240717

Ref country code: IS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20241117

Ref country code: HR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20240717

Ref country code: GR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20241018

Ref country code: FI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20240717

Ref country code: ES

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20240717

Ref country code: BG

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20240717

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: SM

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20240717

Ref country code: RO

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20240717

Ref country code: DK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20240717

REG Reference to a national code

Ref country code: DE

Ref legal event code: R097

Ref document number: 502021004366

Country of ref document: DE

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: EE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20240717

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: AT

Payment date: 20250417

Year of fee payment: 5

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: CZ

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20240717

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: SK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20240717

PLBE No opposition filed within time limit

Free format text: ORIGINAL CODE: 0009261

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT

26N No opposition filed

Effective date: 20250422

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: SE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20240717

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MC

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20240717

REG Reference to a national code

Ref country code: CH

Ref legal event code: H13

Free format text: ST27 STATUS EVENT CODE: U-0-0-H10-H13 (AS PROVIDED BY THE NATIONAL OFFICE)

Effective date: 20251023

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: LU

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20250323

GBPC Gb: european patent ceased through non-payment of renewal fee

Effective date: 20250323

REG Reference to a national code

Ref country code: BE

Ref legal event code: MM

Effective date: 20250331

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: GB

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20250323

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: FR

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20250331

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: BE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20250331

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: CH

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20250331

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: IE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20250323

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: IT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20240717

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: DE

Payment date: 20260319

Year of fee payment: 6